Kush Choudhary 1UC1F3R616

Threats

  1. Injection Attacks
  2. Insertion of logic bombs
  3. Identity theft
  4. Authentication failure
  5. Privilege Escalation
Level | Application
Mandatory | The mandatory rules must be applied

3 Major Types

  • Interaction Designer: user interaction
  • Visual Designer: looks, e.g. fonts, colors
  • Motion Designer: smooth transition

UX Researcher (conducts studies or interviews to learn how people use the product) -> UX Writer (thinks about how to make the language within a product clearer, making the user experience more intuitive) -> Product Designer (assets are handed off to the engineering team) -> UX Engineer (translates the design's intent into a functioning experience, e.g. web, app) -> UX Program Managers (write program goals)

Product development lifecycle

  • Brainstorming: UX Researchers are heavily involved
  • Define: who it is for, what it does, critical features
1UC1F3R616 / hunter.md
Last active October 21, 2023 05:57
Notes

Finding websites you can hunt on as a bug bounty hunter (BBH)

Google Dorks

  • "responsible disclosure program" | "vulnerability disclosure program" | "vulnerability program rewards" | "bug bounty reward program"
  • inurl: vulnerability disclosure inurl: responsible disclosure

Recon

Discovering Subdomain and Content

  • amass enum -brute -active -d domain.com -o amass-output.txt

HTTP Headers

  • Servers can send HTTP headers to provide the client with additional metadata around the response. Besides sending the content that the client requested, servers are then allowed to specify how a particular resource should be read, cached or secured.
  • They have been implemented by browsers in order to make it harder for attackers to take advantage of vulnerabilities.

HSTS

  • HTTP Strict Transport Security.
  • A simple Strict-Transport-Security: max-age=3600 tells the browser that for the next hour (3600 seconds) it should not interact with the application over insecure protocols.
  • To Check: https://hstspreload.org/?domain=facebook.com
  • Prevents: MITM, Eavesdropping attack
1UC1F3R616 / ssh-termux.md
Last active December 27, 2021 13:03
Step by Step
  • install f-droid from here
    • connect device via usb
    • adb install apk_name
  • install termux from f-droid
  • pkg install openssh
  • sshd
  • pkill sshd : to kill the server
  • ifconfig : see the ap0 IP address, or try another interface if this doesn't work
  • whoami : your username
  • passwd # if you want to create a password, uname -a gives complete username
1UC1F3R616 / AdbCommands
Created December 27, 2021 04:53 — forked from Pulimet/AdbCommands
Adb useful commands list
adb help // List all commands
== Adb Server
adb kill-server
adb start-server
== Adb Reboot
adb reboot
adb reboot recovery
adb reboot-bootloader

What made me curious about Rust

Installation on Linux

  • curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
  • source $HOME/.cargo/env
  • export PATH="$HOME/.cargo/bin:$PATH"

Some points

1UC1F3R616 / go_concurrency.md
Last active December 6, 2023 19:43
Go Routines and Channels Done Right.

Using Select to get output from multiple channels based on when they are ready:

package main

import (
	"fmt"
	"time"
)
1UC1F3R616 / Burp certificate on Android
Created November 5, 2021 11:30 — forked from PaulSec/Burp certificate on Android
Add your Burp certificate on an Android device
To do so:
1. Export your Burp Certificate
Proxy > Options > CA Certificate > Export in DER format
2. Convert it to PEM
openssl x509 -inform der -in cacert.der -out burp.pem
3. Download it on the device
1UC1F3R616 / typescript-crash.ts
Created October 4, 2021 06:25 — forked from bradtraversy/typescript-crash.ts
Basic intro to TypeScript (From YouTube Crash Course)
// Basic Types
let id: number = 5
let company: string = 'Traversy Media'
let isPublished: boolean = true
let x: any = 'Hello'
let ids: number[] = [1, 2, 3, 4, 5]
let arr: any[] = [1, true, 'Hello']
// Tuple